How a cyber weapon is made

Jonas Lejon

August 29, 2019

What is the difference between ordinary malicious code and an advanced cyber weapon, and exactly how is a cyber weapon deployed and executed? Stuxnet was, according to many security researchers, one of the first and most recognizable cyber weapons. The resources needed to develop Stuxnet and its different parts were something only one nation had at the time: several programming languages, a large number of modules, several zero-days, knowledge of the centrifuges in the uranium enrichment facility at Natanz, and stolen certificates are just a few of the reasons that make it probable that only one nation was behind it.


The delivery mechanism

This part of the cyber weapon ensures that it hits its target, that is, reaches the right client, hardware, or network. Delivery can be done by e-mail, USB memory, or CD-ROM, or by physically connecting to the server, client, TV, or similar device. As the Vault7 leaks from the CIA showed, it is not entirely unusual for HUMINT and SIGINT resources to be used. The delivery might also take the form of an implant that is installed when the equipment is shipped to the customer. To reach its final target, which might be further into the network, zero-days or other code can be used to detect and bypass so-called air gaps, for example around sensitive networks that are not connected to the internet.


The warhead makes sure that the goal of the cyber weapon is achieved. The goal can be to influence a process in a SCADA system or to destroy vital parts of systems that are crucial for the community. It could also be to exfiltrate sensitive information from the target system.

The communication mechanism

This part is not always necessary, but it makes it possible to “call home” (using a unique ID) and report that the cyber weapon has reached its target or completed a sub-goal. The communication part is important if the cyber weapon stays hidden for an extended period and is meant to activate the warhead on command.

To make discovery by network forensics and intrusion detection systems more difficult, popular sites such as Dropbox, Twitter, or Instagram can be used over TLS-encrypted communication.
Steganography, where messages are exfiltrated hidden inside pictures, has even been observed, as has communication with IP addresses reached over a satellite link, where the antagonist has been able to read the communication with the help of SIGINT or other equipment.
If the communication mechanism uses existing infrastructure that is already in place to update software or check whether new versions are available, detection becomes even more difficult. The communication mechanism can also be used to download and activate new modules, droppers, etc.
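When the traffic goes to a popular site over TLS, destination and content say little, but a defender can still measure timing. The following is an added example, not part of the original article: it assumes the "call home" traffic recurs at roughly regular intervals (an assumption, the article does not state this), and the log format, host addresses and `files.cloud.example` are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not from a real network): seconds after 08:00:00
# at which each internal host opened a TLS session to the same cloud service.
T0 = datetime(2019, 8, 29, 8, 0, 0)
OFFSETS = {
    "10.0.0.15": [0, 301, 598, 902, 1200, 1497, 1803, 2100],  # machine-like
    "10.0.0.22": [12, 40, 75, 900, 905, 2600, 2650, 4000],    # human browsing
    "10.0.0.31": [50, 3650],                                   # too few events
}
SAMPLE_LOG = "\n".join(
    f"{(T0 + timedelta(seconds=s)).isoformat()} {src} files.cloud.example"
    for src, offs in OFFSETS.items() for s in offs
)

def parse(log):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log, min_events=6, max_cv=0.10):
    """Return {(src, dst): (mean_gap_s, cv)} for near-constant intervals.

    cv = standard deviation of the gaps / mean gap; values close to 0 mean
    the connections are evenly spaced, which people rarely produce.
    """
    hits = {}
    for pair, times in parse(log).items():
        if len(times) < min_events:
            continue                      # not enough data to judge timing
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[pair] = (round(avg), round(cv, 3))
    return hits

if __name__ == "__main__":
    for (src, dst), (gap, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

Legitimate update clients also poll on a schedule, so a hit is a lead to triage against a baseline of known software, not a verdict.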


One of the oldest and most common methods is obfuscation or encryption. Even relatively simple things such as modularity can make it difficult to see the whole of a cyber weapon; for example, sniffing functions can sit in one module and keylogging in another.
There are even environmentally keyed payloads, where a module is encrypted with a key that can only be found in the target network or system. Another important aspect for those developing cyber weapons is OPSEC. Everything leaves a trace, and false flagging is increasingly common. Traces can point towards one country when the weapon was in fact ‘developed’ in a completely different one. Language, time zones, etc. can be changed.



Sometimes the warhead is located only in the unit's RAM and disappears if the unit crashes or restarts. Creators of cyber weapons want it to stay put for a longer time, and there is an unbelievable number of ways to hide.


A difference between, for example, WannaCry and a cyber weapon is that the objective of the cyber weapon is to propagate only within a smaller area. It can be a smaller organization or network. A smaller spread can make detection more difficult. Propagation can be a necessary part of the delivery, for example when there is a gap between the process network or secret network and the internet.

Shake up 

Cyber weapon developers invest resources in developing weapons that will remain hidden. The weapon deletes itself when the mission is complete, and there might be a built-in counter that automatically erases the weapon once completed.
